Date: Thu, 27 Nov 2014 00:25:09 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: jack@...ezen.org
Subject: CVE request: Canto Feed URL Parsing Command Line Injection
Can I get a 2013 CVE for the Canto feed URL parsing command line injection
vulnerability? Thanks.
Project website: http://codezen.org/canto-ng/
Affected versions: All versions prior to v0.9.0
Debian version affected: 0.7.10-4
Canto was later removed from Debian. Versions 0.7.10-4 (wheezy) and 0.7.9-1
(squeeze) are not affected by this payload.
Upstream fix:
https://github.com/themoken/canto-curses/commit/2817869f98c54975f31e2dd674c1aefa70749cca
PoCs attached from the original advisory email.
OSVDB: http://osvdb.org/101335
Reported in Debian BTS https://bugs.debian.org/731582 by
<the_walrus_88@...lymail.net>. Quoting the mail:
"""
I have just found a command line injection security vuln in
canto. The program fetches feeds from configured sites, and the
feeds contain URLs that people may want to visit. If a user
starts canto and chooses to go to one URL from one feed, canto
constructs a sh command line to visit the URL, but it doesn't
remove metachars. Therefore a malicious feed (owner turned bad,
man-in-the-middle attack if fetched with http) can put bad
data in all link and guid elements of the feed and use this to
hack the user when they visit some of the URLs. Not good. See my
conf.py and evil.rss files for an example. Sorry for my English!
"""
In case someone finds more issues, you can contact the developer via:
http://codezen.org/canto-ng/contact-bugs/
---
Henri Salo